CVE-2026-28219
Chinese title:
(no data)
English title:
Privilege Escalation via Mass Assignment Allows Regular Users to Set Topics as Global Banners
Vulnerability description
Chinese description:
(no data)
English description:
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an improper authorization check in the topic management logic allows authenticated users to modify privileged attributes of their topics. By manipulating specific parameters in a PUT or POST request, a regular user can elevate a topic’s status to a site-wide notice or banner, bypassing intended administrative restrictions. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. There are no practical workarounds to prevent this behavior other than applying the security patch. Administrators concerned about unauthorized promotions should audit recent changes to site banners and global notices until the fix is deployed.
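The description above refers to a mass-assignment weakness: request parameters are copied onto a record without checking whether the caller is allowed to change each one. The following Ruby illustration is an added example, not Discourse's code; the attribute names (`banner`, `pinned_globally`), the staff/author role split and the function names are all hypothetical. It shows the unsafe pattern beside a role-scoped allow-list, plus an audit helper of the kind an administrator could use to review privileged changes, as the advisory recommends.

```ruby
# Added illustration of the mass-assignment pattern described in the advisory.
# This is NOT Discourse's code: attribute names, roles and functions are hypothetical.

# Constructed sample: a topic record held as a plain Hash.
SAMPLE_TOPIC = { title: "Hello", category: "general", banner: false, pinned_globally: false }.freeze

# Attributes any topic author may change.
AUTHOR_PERMITTED = %i[title category].freeze
# Privileged attributes that only staff may change (hypothetical names).
STAFF_ONLY = %i[banner pinned_globally].freeze

# Vulnerable pattern: every key present in the request body is copied onto the
# record, so a regular user who includes "banner" => true in a PUT body succeeds.
def update_topic_vulnerable(topic, params)
  updated = topic.dup
  params.each { |k, v| updated[k.to_sym] = v if updated.key?(k.to_sym) }
  updated
end

# Hardened pattern: the allow-list is chosen by the caller's role, and any key
# outside it is dropped and reported rather than applied.
def update_topic_hardened(topic, params, staff:)
  allowed = staff ? AUTHOR_PERMITTED + STAFF_ONLY : AUTHOR_PERMITTED
  rejected = []
  updated = topic.dup
  params.each do |k, v|
    key = k.to_sym
    if allowed.include?(key)
      updated[key] = v
    else
      rejected << key
    end
  end
  [updated, rejected]
end

# Audit helper: compare two snapshots of a topic and list every privileged
# attribute that changed, so an administrator can review unexpected promotions.
def privileged_changes(before, after)
  STAFF_ONLY.select { |key| before[key] != after[key] }
end

if __FILE__ == $PROGRAM_NAME
  request = { "title" => "Hello!", "banner" => true } # constructed request body
  v = update_topic_vulnerable(SAMPLE_TOPIC, request)
  h, rejected = update_topic_hardened(SAMPLE_TOPIC, request, staff: false)
  puts "vulnerable: banner=#{v[:banner]}"
  puts "hardened:   banner=#{h[:banner]} rejected=#{rejected.inspect}"
  puts "audit flags on vulnerable result: #{privileged_changes(SAMPLE_TOPIC, v).inspect}"
end
```

The key design point is that the allow-list is derived from the caller's role on the server side, never from anything in the request; the `rejected` list also gives a natural logging hook for detecting attempts to set privileged attributes.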
CWE type:
Tags:
Affected products
| Vendor | Product | Version | Version range | Platform | CPE |
|---|---|---|---|---|---|
| discourse | discourse | < 2025.12.2 | - | - | cpe:2.3:a:discourse:discourse:<_2025.12.2:*:*:*:*:*:*:* |
| discourse | discourse | >= 2026.1.0-latest, < 2026.1.1 | - | - | cpe:2.3:a:discourse:discourse:>=_2026.1.0-latest,_<_2026.1.1:*:*:*:*:*:*:* |
| discourse | discourse | >= 2026.2.0-latest, < 2026.2.0 | - | - | cpe:2.3:a:discourse:discourse:>=_2026.2.0-latest,_<_2026.2.0:*:*:*:*:*:*:* |
| discourse | discourse | * | - | - | cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:* |
| discourse | discourse | 2026.2.0 | - | - | cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:* |
Solution
Chinese solution:
English solution:
Workaround:
References
cve.org
CVSS score details
4.0 (cna)
LOW CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
Time information
Exploit information
Data source details
| Data source | Record ID | Version | Extraction time |
|---|---|---|---|
| CVE | cve_CVE-2026-28219 | 2026-02-27 03:19:47 | 2026-02-26 22:00:01 |
| NVD | nvd_CVE-2026-28219 | 2026-02-27 02:00:05 | 2026-02-26 22:00:03 |
Version and language
Security advisories
Change history
- affected_products_count: 3 -> 5
- data_sources: ['cve'] -> ['cve', 'nvd']